Re: [cobalt-developers] FW: Cobalt RaQ 3 security hole?



> WTF?  Is it standard for Cobalt servers to compile Apache with the
> BIG_SECURITY_HOLE flag and run admserv as root/root?  Is this just a local
> issue, something whoever installed this on the server did initially?  I
> obviously do NOT want to compile my copy of apache with BIG_SECURITY_HOLE
> just to get the admin interface working.  The only thing I can think of is
> changing the permissions on all the admin interface files to let another
> user execute the scripts, but is that going to open up something else?
>
> I highly suspect this is not an issue with all Cobalt RaQ 3's, because
> someone else would have had to come across this.  Can anyone clue me in on
> what I did wrong, if anything?
>
> Thanks,
> Chad

Any and all 'Web Based Admin Software' will need some sort of root/super
user permissions.  Otherwise (in your words), WTF would it do about
read/write permissions on system config files owned by root?

This is also the reason why there's a separate process and port for the
admin server.  IMO, it's better to have a customized Apache process running
as root to do the necessary modifications than some CGI script doing the
same thing.

BC